Never let go! Zenis ransomware: the strongest level of encryption seen in ransomware, and Zenis never lets go
The security center recently detected a ransomware family called "Zenis", the name its author gave it. Unlike common ransomware, which encrypts a fixed set of file types, Zenis encrypts files in more than 200 formats on the infected machine and, on top of that, locks every file on every non-system drive letter, sparing not even .exe programs. It also deletes backup files on the system so that important data cannot be recovered.
The following is a detailed analysis of the virus.
Virus Initialization
First, on execution the virus checks two conditions:
1. Its own executable is named iis_agent32.exe.
2. The Active value does not already exist under the registry key HKCU\SOFTWARE\ZenisService.
If the file name is not iis_agent32.exe, or the registry value already exists, the program exits without encrypting anything:
Figure 1
Figure 2
Once the execution conditions are met, the virus runs commands that delete the Volume Shadow Copies, disable Startup Repair and clear the system event logs (clearing the logs removes the traces of the intrusion, which in these cases generally comes in over RDP on port 3389). It also looks for the following processes and terminates them:

Process name | Remarks
SQL | MSSQL database processes
Taskmgr | Task Manager
Regedit | Registry Editor
Backup | Backup-related processes
Table 1

Code for deleting shadow copies, disabling Startup Repair, clearing the event logs and killing these processes:
Figure 3
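As an added example (not code from the article or its author), the following Python script runs a few detection rules over constructed process-creation log lines. The line layout, the parent path C:\Users\a\iis_agent32.exe and the command lines are constructed for the example; the article's Figure 3 shows the exact commands Zenis uses, which are not reproduced here, so the patterns cover the common command-line forms of the three actions (vssadmin/wmic, bcdedit, wevtutil) and a taskkill of the processes in Table 1. The point of the parent-level aggregation is that any one of these commands can be legitimate administration, while one process doing all of them within a few seconds is the pre-encryption sequence described above.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events for this example (not telemetry from the article).
# Assumed layout of each line: "<timestamp> <parent image> -> <child command line>".
SAMPLE_EVENTS = [
    r"2018-03-20T10:01:02 C:\Users\a\iis_agent32.exe -> cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    r"2018-03-20T10:01:03 C:\Users\a\iis_agent32.exe -> bcdedit.exe /set {default} recoveryenabled No",
    r"2018-03-20T10:01:03 C:\Users\a\iis_agent32.exe -> bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"2018-03-20T10:01:04 C:\Users\a\iis_agent32.exe -> wevtutil.exe cl System",
    r"2018-03-20T10:01:04 C:\Users\a\iis_agent32.exe -> wevtutil.exe cl Security",
    r"2018-03-20T10:01:05 C:\Users\a\iis_agent32.exe -> taskkill.exe /F /IM taskmgr.exe",
    r"2018-03-20T10:05:00 C:\Windows\explorer.exe -> notepad.exe C:\notes.txt",
    r"2018-03-20T10:06:00 C:\Windows\System32\svchost.exe -> vssadmin.exe list shadows",
]

# (tactic label, pattern over the child command line). Figure 3 of the article holds the exact
# commands Zenis runs; these patterns cover the usual command-line forms of the three actions.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_repair_disabled", re.compile(
        r"bcdedit(\.exe)?\s.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    # Table 1 processes: SQL, Taskmgr, Regedit, backup software. The article does not show whether
    # the kill is done with taskkill or an API call; only the command-line form is covered here.
    ("process_kill", re.compile(r"taskkill(\.exe)?\s.*?/IM\s+(taskmgr|regedit|sql\w*|backup\w*)", re.I)),
]

def parse_event(line):
    """Split a sample line into (timestamp, parent image, child command line)."""
    head, _, cmdline = line.partition(" -> ")
    timestamp, _, parent = head.partition(" ")
    return timestamp, parent, cmdline

def classify_cmdline(cmdline):
    """Sorted list of tactic labels whose pattern matches the command line (empty if none)."""
    return sorted({tactic for tactic, pattern in RULES if pattern.search(cmdline)})

def scan(events):
    """One (timestamp, parent, cmdline, tactics) tuple per event that matched at least one rule."""
    findings = []
    for line in events:
        timestamp, parent, cmdline = parse_event(line)
        tactics = classify_cmdline(cmdline)
        if tactics:
            findings.append((timestamp, parent, cmdline, tactics))
    return findings

def suspicious_parents(findings, min_tactics=3):
    """Parents that performed at least min_tactics distinct tactics.
    Deleting shadow copies, breaking Startup Repair and wiping logs from one process is the
    pre-encryption sequence the article describes, not routine administration."""
    by_parent = defaultdict(set)
    for _, parent, _, tactics in findings:
        by_parent[parent].update(tactics)
    return {parent: sorted(t) for parent, t in by_parent.items() if len(t) >= min_tactics}

if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for timestamp, parent, cmdline, tactics in findings:
        print(timestamp, parent, ",".join(tactics), "|", cmdline)
    print("suspicious parents:", suspicious_parents(findings))
```

Tuning note: `vssadmin list shadows` and a single `bcdedit` change are deliberately left unflagged at the parent level; the per-event rules still report them, so an analyst can lower `min_tactics` on hosts where even one of these actions is unexpected.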
File encryption
Zenis uses a fairly conventional hybrid scheme: RSA-1024 plus RC4. The virus generates a fresh RSA-1024 session key pair on each victim's machine and a fresh RC4 key for each file.
The session private key generated on the victim's machine is itself encrypted with a second RSA public key that is built into the code (the matching private key is held by the virus author and has not been released). The session public key is used to encrypt the RC4 key generated for each file.
The list of file formats to encrypt is embedded in the program and contains 204 extensions. Note that a file whose extension is not in this list is not necessarily safe: the virus encrypts every file on non-system drive letters regardless of extension (and backup files are deleted).
The encryption process is as follows:
Figure 4
Overview of the keys used:

Key | Description
RPUBKEY | RSA-2048 root public key, hard-coded in the program
RPIVKEY | RSA-2048 root private key, held by the author, not publicly available
SPUBKEY | RSA-1024 session public key, unique per victim, used to encrypt each FILEKEY
SPIVKEY | RSA-1024 session private key, unique per victim, used to decrypt each FILEKEY
FILEKEY | 256-bit RC4 key generated per file, computed as SHA256(makerandomstr(64))
USERFLGKEY | 512-bit RC4 key generated per victim, computed as SHA512(makerandomstr(128))
ENCFILEKEY | FILEKEY encrypted with SPUBKEY, stored in the encrypted file
ENCRYPTED | SPIVKEY encrypted with USERFLGKEY (RC4), then USERFLGKEY encrypted with RPUBKEY; written to the end of zenis-instructions.html
Table 2
First, the virus generates a 1024-bit RSA key pair: the public key SPUBKEY used for encryption and the private key SPIVKEY used for decryption. A random RC4 key, USERFLGKEY, is used to encrypt the new private key SPIVKEY, and USERFLGKEY is then encrypted with the built-in RSA-2048 public key RPUBKEY. The resulting string replaces the %ENCRYPTED% field in the ransom note; it is what the author needs in order to decrypt:
The encryption code is as follows:
Figure 5
Figure 6
The RSA-2048 public key built into the virus is shown below (only the author, who holds the matching private key, can decrypt what it encrypts):
Figure 7
Code for the per-file encryption process:
Figure 8
Figure 9
The virus program writes the key information to the end of the encrypted file:
Figure 10
The encryption code of RC4 is as follows:
Figure 11
The following table lists the file extensions that are encrypted:
.txt .doc .docx .xls .xlsx .ppt .pptx .odt .jpeg .png
.csv .sql .mdb .sln .php .asp .aspx .html .xml .psd
.sql .mp4 .7z .rar .m4a .wma .avi .wmv .csv .d3dbsp
.zip .sie .sum .ibank .t13 .t12 .qdf .gdb .tax .pkpass
.bc6 .bc7 .bkp .qic .bkf .sidn .sidd .mddata .itl .itdb
.icxs .hvpl .maid .hkdb .mdbackup .syncdb .gho .cas .svg .map
.wmo .itm .sb .fos .mov .vdf .ztmp .sis .sid .ncf
.menu .layout .dmp .blob .esm .vcf .vtf .dazip .fpk .mlx
.kf .iwd .vpk .tor .psk .rim .w3x .hcg .ntl .arch00
.lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge
.kdb .db0 .dba .rofl .hkx .bar .upk .das .iwi .litemod
.asset .forge .ltx .bsa .apk .re4 .sav .lbf .slm .bik
.epk .rgss3a .pak .big .wallet .wotreplay .xxx .desc .py .m3u
.flv .js .css .rb .p7c .pk7 .p7b .p12 .pfx .pem
.crt .cer .der .x3f .srw .arg .ptx .r3d .rw2 .rwl
.raw .raf .open .nrw .mrwref .mef .erf .kdc .dcr .cr2
.crw .bay .sr2 .srf .arw .3fr .dng .jpe .jpg .cdr
.indd .ai .eps .pdf .pdd .dbf .mdf .wb2 .rtf .wpd
.dxg .xf .dwg .pst .accdb .mdb .pptm .pptx .ppt .xlk
.xlsb .xlsm .xlsx .xls .wps .docm .docx .doc .odb .odc
.odm .odp .ods .odt
Table 3
After encryption, the file is also renamed to the form "Zenis-[2 random characters].[12 random characters]":
Figure 12
For example, 361test.txt becomes Zenis-EO.V1OqyzpYfV5z after encryption:
Figure 13
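The rename pattern gives incident responders a cheap file-system indicator. The following Python script is an added example, not code from the article: it walks a directory tree, flags names matching Zenis-XX.YYYYYYYYYYYY (restricting the random characters to alphanumerics is an assumption, since the article shows only one example) and the ransom note zenis-instructions.html, counts hits per directory, and reports the oldest modification time as a first estimate of when encryption started. The sample tree it builds in a temporary directory is constructed for the example.

```python
import os
import re
import tempfile
from collections import Counter

# Renamed-file pattern from the article: "Zenis-" + 2 random characters + "." + 12 random characters.
# The article's only example is alphanumeric (Zenis-EO.V1OqyzpYfV5z), so [A-Za-z0-9] is an assumption.
RENAMED = re.compile(r"^Zenis-[A-Za-z0-9]{2}\.[A-Za-z0-9]{12}$")
RANSOM_NOTE = "zenis-instructions.html"

def is_zenis_name(name):
    """True if a bare file name has the post-encryption Zenis form."""
    return RENAMED.match(name) is not None

def scan_tree(root):
    """Walk root and return (renamed file paths, ransom note paths, renamed count per directory).
    Directory keys are relative to root so the report is portable between hosts."""
    renamed, notes, per_dir = [], [], Counter()
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if is_zenis_name(name):
                renamed.append(os.path.join(dirpath, name))
                per_dir[rel] += 1
            elif name.lower() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
    return renamed, notes, per_dir

def earliest_mtime(paths):
    """Oldest modification time among the renamed files: a first estimate of when encryption began."""
    return min(os.path.getmtime(p) for p in paths) if paths else None

def build_sample_tree():
    """Create a constructed directory tree in a temp dir (example data only, not from the article)."""
    root = tempfile.mkdtemp(prefix="zenis-demo-")
    layout = {
        "docs": ["Zenis-EO.V1OqyzpYfV5z", "Zenis-aB.0123456789ab", "zenis-instructions.html", "report.docx"],
        os.path.join("docs", "sub"): ["Zenis-Q9.abcdefghijkl"],
        # near-misses: wrong length of either part must not be flagged
        "clean": ["readme.txt", "Zenis-EO.tooshort", "Zenis-EOX.V1OqyzpYfV5z"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        for name in names:
            with open(os.path.join(root, rel, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    renamed, notes, per_dir = scan_tree(root)
    print(f"{len(renamed)} renamed files, {len(notes)} ransom notes under {root}")
    for rel, n in per_dir.most_common():
        print(f"  {n:4} in {rel}")
    print("encryption started no later than", earliest_mtime(renamed))
```

The per-directory counts are the useful output during triage: directories with many hits and no ransom note are usually network shares reached from the infected host, which tells you where else to look.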
While traversing files, whenever the virus finds a file whose extension matches a backup file type, it does not encrypt it; instead it immediately overwrites the file's contents three times and then deletes it, to make it hard for victims to recover data from backups. The backup extensions that are deleted are listed below:
.win .wbb .w01 .v2i .trn .tibkp .sqb .rbk .qic .old .obk
.ful .bup .bkup .bkp .bkf .bff .bak .bak2 .bak3 .edb .stm
Table 4
The related code is as follows:
Figure 14
Figure 15
In addition, the virus excludes the system directories and a number of software directories; files under them are not encrypted:
Windows, NVIDIA Corporation, Program Files, Microsoft.NET, ProgramData,
Internet Explorer, PerfLogs, Kaspersky Lab, $Recycle.Bin, McAfee,
Microsoft, Avira, Microsoft Help, Spytech software, Microsoft App,
Sysconfig, Certification Kit, Avast, Windows Defender, Dr. Web,
ESET, Symantec, COMODO, Symantec_Client_Security, Windows NT,
System volume information, Windows Kits, AVG, Windows Mail, Microsoft Shared,
Windows Media Player, Common Files, Windows Multimedia Platform, Outlook Express, Windows Phone Kits,
Movie Maker, Windows Phone, Chrome, Silverlight Kits, Mozilla Firefox,
Temp, Opera, Windows Photo Viewer, YandexBrowser, Windows Protable Devices,
Ntldr, Windows Slidebar, Wsus, WindowsPowerShell, Public
Table 5
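Tables 3 to 5 together decide what happens to each file, which matters when scoping an incident: files under excluded directories are intact, files with backup extensions are gone for good, and encrypted files are the only ones a key could ever bring back. The following Python script is an added example, not the virus's own logic or code from the article: it applies those three tables to a list of paths. The order of the checks (excluded directory, then backup extension, then non-system drive, then Table 3) and matching directory names against any path component case-insensitively are assumptions the article does not state. The sample paths are constructed. Note that .bkp, .qic and .bkf appear in both Table 3 and Table 4, so the chosen precedence decides their fate.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Table 3 of the article (duplicates dropped), lowercased, without the leading dot.
ENCRYPT_EXT = set("""
txt doc docx xls xlsx ppt pptx odt jpeg png csv sql mdb sln php asp aspx html xml psd
mp4 7z rar m4a wma avi wmv d3dbsp zip sie sum ibank t13 t12 qdf gdb tax pkpass bc6 bc7
bkp qic bkf sidn sidd mddata itl itdb icxs hvpl maid hkdb mdbackup syncdb gho cas svg map
wmo itm sb fos mov vdf ztmp sis sid ncf menu layout dmp blob esm vcf vtf dazip fpk mlx
kf iwd vpk tor psk rim w3x hcg ntl arch00 lvl snx cfr ff vpp_pc lrf m2 mcmeta vfs0 mpqge
kdb db0 dba rofl hkx bar upk das iwi litemod asset forge ltx bsa apk re4 sav lbf slm bik
epk rgss3a pak big wallet wotreplay xxx desc py m3u flv js css rb p7c pk7 p7b p12 pfx pem
crt cer der x3f srw arg ptx r3d rw2 rwl raw raf open nrw mrwref mef erf kdc dcr cr2 crw
bay sr2 srf arw 3fr dng jpe jpg cdr indd ai eps pdf pdd dbf mdf wb2 rtf wpd dxg xf dwg
pst accdb pptm xlk xlsb xlsm wps docm odb odc odm odp ods
""".split())

# Table 4: backup extensions that are overwritten three times and deleted, never encrypted.
BACKUP_EXT = set("""
win wbb w01 v2i trn tibkp sqb rbk qic old obk ful bup bkup bkp bkf bff bak bak2 bak3 edb stm
""".split())

# Table 5: directory names whose contents are skipped. Matching any path component,
# case-insensitively, is an assumption; the article only gives the names.
EXCLUDED_DIRS = {name.lower() for name in [
    "Windows", "NVIDIA Corporation", "Program Files", "Microsoft.NET", "ProgramData",
    "Internet Explorer", "PerfLogs", "Kaspersky Lab", "$Recycle.Bin", "McAfee",
    "Microsoft", "Avira", "Microsoft Help", "Spytech software", "Microsoft App",
    "Sysconfig", "Certification Kit", "Avast", "Windows Defender", "Dr. Web",
    "ESET", "Symantec", "COMODO", "Symantec_Client_Security", "Windows NT",
    "System volume information", "Windows Kits", "AVG", "Windows Mail", "Microsoft Shared",
    "Windows Media Player", "Common Files", "Windows Multimedia Platform", "Outlook Express",
    "Windows Phone Kits", "Movie Maker", "Windows Phone", "Chrome", "Silverlight Kits",
    "Mozilla Firefox", "Temp", "Opera", "Windows Photo Viewer", "YandexBrowser",
    "Windows Protable Devices", "Ntldr", "Windows Slidebar", "Wsus", "WindowsPowerShell", "Public",
]}

def triage(path, system_drive="C:"):
    """Classify one path as spared / wiped / encrypted / untouched.
    Check order is an assumption (the article does not state it):
    excluded directory, then backup extension, then non-system drive, then Table 3."""
    p = PureWindowsPath(path)
    dirs = [part.lower() for part in p.parts[1:-1]]
    ext = p.suffix.lower().lstrip(".")
    if any(d in EXCLUDED_DIRS for d in dirs):
        return "spared"       # lives under an excluded directory, left alone
    if ext in BACKUP_EXT:
        return "wiped"        # overwritten three times then deleted: no key brings it back
    if p.drive.upper() != system_drive.upper():
        return "encrypted"    # every file on a non-system drive letter, .exe included
    if ext in ENCRYPT_EXT:
        return "encrypted"    # on the system drive only the listed extensions are hit
    return "untouched"

def triage_all(paths, system_drive="C:"):
    """Return ({path: verdict}, Counter of verdicts) for a list of paths."""
    report = {path: triage(path, system_drive) for path in paths}
    return report, Counter(report.values())

# Constructed sample inventory for this example (not from the article).
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\budget.xlsx",
    r"C:\Users\bob\Documents\db.bak",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\app.exe",
    r"D:\shares\tool.exe",
    r"D:\backups\nightly.bkf",
    r"C:\Users\bob\app.exe",
    r"C:\Users\bob\AppData\Local\Temp\notes.txt",
]

if __name__ == "__main__":
    report, summary = triage_all(SAMPLE_PATHS)
    for path, verdict in report.items():
        print(f"{verdict:10} {path}")
    print(dict(summary))
```

Fed a file inventory from a backup catalogue or a pre-incident listing, the "wiped" bucket is the list of data that must come from off-host backups, and "spared" directories are where nothing needs restoring. PureWindowsPath is used so the script runs on an analysis workstation of any OS.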
Next the virus generates the ransom note zenis-instructions.html, which carries the RSA-encrypted key data described above together with the instructions for the victim and the author's contact email. The related code:
Figure 16
The ransom page generated by the virus contains a hidden Base64-encoded string. This is the doubly encrypted decryption private key described above: it can only be decrypted with the private key held by the virus author. After the ransom is paid, the author (if trustworthy) sends the corresponding decryption program or key back to the victim through the contact information in the note:
Figure 17
Figure 18
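Because the hidden Base64 string in the note is the only copy of the victim's encrypted session private key, preserving it is the one thing a responder can do towards future decryption. The Python script below is an added example, not code from the article: it pulls long Base64 runs out of a ransom note, skips inline data: URIs (embedded images are also Base64 and would otherwise be the largest match), validates each run, and writes the candidates out under a hash-based name. The note layout (a hidden div holding the blob, an inline logo, a contact address) and the blob contents are constructed; the real zenis-instructions.html appears only in the article's figures.

```python
import base64
import hashlib
import os
import re
import tempfile

# A Base64 run long enough to be key material rather than an ordinary word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed blob standing in for the %ENCRYPTED% data (deterministic so the example is checkable).
SAMPLE_BLOB = base64.b64encode(bytes(range(256)) * 3).decode()

# Constructed ransom note for this example. The hidden <div>, the data: URI logo and the
# contact address are assumptions about layout; the real note is only shown in the figures.
SAMPLE_NOTE = f"""<html><body>
<img src="data:image/png;base64,{'A' * 120}">
<h1>Your files have been encrypted</h1>
<p>Contact: author@example.invalid</p>
<div style="display:none">{SAMPLE_BLOB}</div>
</body></html>"""

def find_key_blobs(html):
    """Candidate Base64 blobs in the note, largest first, ignoring inline data: URIs."""
    found = []
    for m in B64_RUN.finditer(html):
        if html[max(0, m.start() - 7):m.start()] == "base64,":
            continue  # part of a data: URI (embedded image/resource), not the key material
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # wrong length or padding: not a complete Base64 string
        found.append({"b64": m.group(0), "size": len(raw),
                      "sha256": hashlib.sha256(raw).hexdigest()})
    return sorted(found, key=lambda c: c["size"], reverse=True)

def decode_blob(candidate):
    """Raw bytes of a candidate (still encrypted; only the author's key can open them)."""
    return base64.b64decode(candidate["b64"])

def find_contacts(html):
    """Email addresses in the note, for the incident record."""
    return sorted(set(EMAIL.findall(html)))

def preserve(html, out_dir=None):
    """Write each candidate blob to out_dir (a fresh temp dir by default); return the paths."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="zenis-note-")
    paths = []
    for c in find_key_blobs(html):
        path = os.path.join(out_dir, f"zenis-encrypted-{c['sha256'][:16]}.b64")
        with open(path, "w") as fh:
            fh.write(c["b64"])
        paths.append(path)
    return paths

if __name__ == "__main__":
    for c in find_key_blobs(SAMPLE_NOTE):
        print(f"blob {c['size']} bytes sha256={c['sha256']}")
    print("contacts:", find_contacts(SAMPLE_NOTE))
    print("saved:", preserve(SAMPLE_NOTE))
```

Keep the original note file as well as the extracted blob; the hash in the file name lets you show later that the blob handed to a decryptor is the one taken from the victim's machine.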
Anti-virus analysts contacted the virus author's email address. The reply: after one file is decrypted free of charge to prove that decryption works, the victim must transfer 0.2018 bitcoin (about 13,000 RMB at the time of writing) to the wallet address 17o83ughmzkemkmslz4bhrmf75urrentlpkf:
Figure 19
Figure 20
Conclusion
Because Zenis encrypts so many file formats, overwrites and deletes backup-related files several times over, and also hits PE files and the data files of common software, programs may fail to run after the attack and data may be unrecoverable; compared with ordinary ransomware it does far more damage to the system. The virus also appears to be planted after an intrusion through weak Remote Desktop passwords. Server administrators are therefore advised to:
1. Change to a strong password;
2. Change the default RDP port 3389;
3. Install the latest patches on the server;
4. Enable Network Level Authentication (NLA);
5. Install security software for protection. Security Guard was the first in China to detect and remove this ransomware, and also defends against various other ransomware families.
Figure 21